Declining resources, new delivery models for education, 
questions regarding the value of research, issues surrounding 
athletics, physical security threats, and slowing demand for 
college graduates represent only a few of the risks on the 
horizon for colleges and universities. Higher education is 
transforming rapidly, creating both opportunities and threats 
for academic institutions. 

Faced with these new challenges, some institutions are 
reexamining how they identify, assess, and manage risks by 
embracing a more robust, top-down view of all types of risks. 
Business officers, who have an enterprisewide perspective, 
can take on leadership roles in strengthening the robustness 
of their institutions’ risk oversight processes through 
enterprise risk management (ERM). 

Why Is ERM Needed? 

Over the past decade, the corporate community, nonprofits, 
and some institutions of higher learning have embraced ERM 
as a new way of identifying and managing risks. The explosion 
of the dotcom era, the recession of the early 2000s, the 9/11 
terrorist attacks, the crash of Enron and WorldCom, among 
other events, threatened the performance of all types of 
organizations, including colleges and universities. In response, 
a number of constituencies began calling for new approaches 
to risk oversight. 

New governance rules issued by the New York Stock Exchange 
in 2004, expanded SEC disclosure rules about the board’s role 
in risk oversight, and heightened scrutiny of risk management 
processes by major credit rating agencies throughout 
the mid-2000s put extensive pressure on organizations, 
particularly publicly traded companies, to rethink their risk 
management practices. The financial crisis that emerged in 
2008 revealed major risk-taking exposures that were being 
poorly managed in all kinds of entities. These events, among 
others, have motivated boards and senior executives to invest 
in new processes and infrastructures to better understand 
the key risks their organizations face. While initially targeted 
toward public companies, risk oversight expectations for 
boards and senior executives have quickly trickled down as 
emerging best practices for all types of organizations, including 
institutions of higher learning. 


In 2004, the Committee of Sponsoring Organizations of the 
Treadway Commission (COSO) issued its 2004 Enterprise 
Risk Management-Integrated Framework, which provides a 
principles-based framework that boards and management 
might use to strengthen their enterprise-level view of risks 
perceived to be most likely to influence the organization. 
COSO’s framework defines ERM as “a process, effected by the 
entity’s board of directors, management, and other personnel, 
applied in strategy setting and across the enterprise, designed 
to identify potential events that may affect the entity, manage 
risks to be within its risk appetite to provide reasonable 
assurance regarding the achievement of entity objectives.” 

ERM is designed to be a process that provides a top-down, 
holistic view of those risks that are most likely to threaten the 
organization’s ability to achieve its strategic objectives. 

Is ERM Relevant for Institutions? 

Some skeptics argue that ERM is a corporate issue. Others 
may dismiss ERM as a fad created by consulting firms 
interested in selling services, with little value-adding 
potential. A few may convince themselves that they are doing 
ERM-related thinking as part of their normal day-to-day 
management responsibilities. These skeptics fail to see risk 
oversight as an important strategic tool for their institutions 
and think of risk management as merely a compliance or 
loss-prevention activity. 

Figure 1 Huge Management Challenge 
Figure 1 illustrates examples of risk drivers for colleges and 
universities today, and this landscape is likely to alter drastically 
over the next decade. As you look at all of these risk drivers at 
an enterprise level, you begin to realize the huge challenge 
facing college and university leaders as they respond to this 
unfolding risk universe. 

Now bring this home to your institution. As you look at each of 
these risk issues on the horizon, ask yourself these questions: 

1. How would you score (on a scale of 1 to 10, with 1 being 
the weakest) your institution’s capabilities in managing 
each of these example risks? 

2. How would scores from other executives or the board of 
trustees at your institution compare to your assessment? 

3. How easy would it be to articulate your institution’s 
process for managing risks? 

4. How is risk management viewed at your institution along 
the following continuum? 

Compliance or Loss Prevention ◄ ► Strategic Tool, Value Creating 

5. If asked to identify the top 10 most significant risks 
facing your institution over the next three to five years, 
what process would provide the basis for your answer? 

6. If you were to ask other executives at your institution 
for their list of the top 10, to what extent would you find 
similarities and differences? 

As you consider your responses to these questions, think about 
how your colleagues or the board might respond. It might be 
helpful to ask some of them for their perspectives to determine 
if they arrive at the same conclusions. 

Using ERM as a Strategic Tool 

What prevents organizations from strengthening their 
approach to risk oversight? One barrier is the lack of 
understanding of the strategic relevance of ERM. They view risk 
management as a compliance activity (such as internal audit’s 
review of compliance with policies or procedures) or a loss 
prevention technique (such as the purchase of property or 
casualty insurance). They fail to see ERM as a strategic tool. 

Ironically, most business officers embrace the interconnectivity 
of risk and return. They realize that in order to advance in life, 
you must be willing to take risks. Despite understanding the 
fundamental reality that risk and return are connected in a 
hand-in-a-glove relationship, they fail to manage and monitor 
both sides of the risk/return equation, leading to an imbalance. 
Think about all the financial reporting systems, budgeting 
processes, annual evaluations, strategic plans and forecasts, 
and other systems used to measure and report performance. 


Now think about the infrastructure for the risk side of the 
equation. Is risk management relegated to pockets at lower 
levels of the organization, which rarely see the light of 
executive management discussions? When this happens, 
university leaders miss the strategic connection of risk 
management and strategy execution. 

Remember: ERM is all about the strategy. The reason to 
invest in more robust identification and management of 
risks is to increase the likelihood that your institution and 
its leaders will achieve the objectives you are working hard 
each day to accomplish. The more aware they are of risks on 
the horizon, the more likely your leaders will be in a position 
to navigate those risks to keep the university’s strategies on 
track for success. 


Figure 2 Strategic View of Risk Management 

Take a look at the diagram in Figure 2. The blue box on the 
left reflects all the great activities that currently drive value, as 
well as new strategies to enhance the value of the university. 
The blue box to the right reflects the performance that will be 
observed in, say, three to five years. The diagram indicates that 
the world we live in today will look quite different tomorrow 
given unfolding uncertainties. As the world changes, risks could 
threaten the institution’s performance. So, the real question to 
consider is in the center rectangular box: What is the process 
for monitoring and responding to emerging uncertainties 
surrounding your institution’s core value drivers and new 
strategic initiatives? 

So, how would you respond? For some institutions, the process 
is ad hoc and unstructured. Managers mostly use their gut 
instincts to identify and assess risks. More importantly, they 
find that there is minimal structure and dialogue among senior 
executives and boards of directors to determine if the ad hoc 
risk analysis is generating an accurate and complete picture of 
risks on the horizon or whether there is even consensus about 
the most important risks facing the institution. 

Enterprise Risk Management Can Be a Strategic Opportunity 

Understand Your Success 

Once they recognize the need to strengthen the enterprisewide 
risk management processes, executives may wonder 
where to start. Some dive in by asking business unit leaders 
to describe risks and then they populate that information into 
some sort of risk inventory or risk universe. When they get to 
that point, they may become frustrated, wondering about the 
relevance of all this risk information and what to do next. 


Before beginning any ERM effort, leaders must first 
understand what drives the institution’s success today and what 
strategies are on the horizon that will protect and add value. 
The process we use when working with organizations is 
illustrated in Figure 3. 

Source: The Committee of Sponsoring Organizations of the Treadway Commission 

Follow a Six-Step Process 

Once you know what is responsible for your institution’s 
current success, you are ready to jump-start your institution’s 
enterprise risk process by taking six steps: 

1. Understand the drivers of your institution’s mission 
and value. We begin any ERM effort by helping management 
articulate the current key business drivers and new strategic 
initiatives that are being implemented to drive enhancements 
to the value of the organization. We start with a comprehensive 
big-picture understanding of what makes the institution tick so 
that we can center the identification and assessment of risks 
using a strategic lens. 

Before starting down the risk identification and assessment 
process, we make sure managers have a rich strategic view of 
the enterprise so that they can focus on identifying and 
prioritizing those risks most critical to the institution’s long-term 
strategic mission. The box on the far-right side of Figure 4 
labeled “Mission and Brand of the University” reflects what 
most universities value and work to maintain and enhance 
each day. In essence, that box indicates what might be one 
of any institution’s most important strategic goals: to protect 
and enhance the value of the institution’s mission and brand. 
The goal of ERM is to then identify risks that might impair the 
achievement of that goal and others. 


Figure 4 Identify Business Drivers and New Initiatives 




Source: ERM Initiative, Poole College of Management, North Carolina State University (www.erm.ncsu.edu) 


We encourage leaders to specifically identify the core drivers 
they consider the institution’s “crown jewels,” as illustrated by 
the three yellow boxes in Figure 4. The red boxes contain 
hypothetical examples of what might be current value drivers. 
In this example, the institution is a flagship university with 
extensive state funding, a world-renowned faculty, and a 
national student applicant base. 

In addition to understanding the institution’s crown jewels, 
leaders should be able to pinpoint specific initiatives contained 
in the current strategic plan that are being implemented over 
time to enhance the value of the institution. For example, 
the three dark grey boxes in Figure 4 contain hypothetical 
strategic initiatives that include efforts to promote research 
in emerging technologies, to embrace new flexible teaching 
delivery models, and to increase international partnerships. 

Business officers can readily envision the big-picture view of 
the institution. As the leaders of the budgeting and finance 
function, they already understand the relationships between key 
activities and what drives value through the generation of funds 
and resources and how costs and efficiencies for the institution 
are achieved. Given the importance of starting with an 
understanding of this big-picture view of the institution, business 
officers are uniquely positioned to take on ERM leadership roles. 

In the corporate world, ERM leadership commonly resides 
in finance and accounting functions, with CEOs and heads 
of the internal audit function frequently leading the efforts. 
Because of the relationships those executives have with the 
audit committee of the board of directors, responsibility for 
governing risk management processes is frequently assigned 
to the audit committee of a board. 

To help your institution complete a risk and strategy 
perspective like that in Figure 4, you might try thinking about 
your core business drivers and new strategic initiatives along 
two primary themes: 

What must go right for your institution to sustain the 
success of each of its core business drivers and new 
strategic initiatives? Questions that might help prompt 
answers include: 

a. What are the key inputs needed over time for the core 
driver or new initiative to retain its strategic value? 

b. What are the key processes and technologies that 
must be sustainable for that core driver or new 
strategic initiative to achieve and retain its value for 
the business? 

c. Who are the key suppliers, employees, customers, 
or regulators important to each core driver or new 
strategic initiative, and what must occur to ensure 
the contributions and expectations of these key 
players are sustainable? 

What assumptions are being made by management 
about the ability of the institution to obtain value 
from each current business driver and new strategic 
initiative over the long term? 

a. How are those assumptions developed? 

b. What ensures the assumptions are accurate and 
reliable? 

c. Who monitors those assumptions for changes? 


Questions such as these and others can be addressed through 
management interviews, surveys, or workshops that prompt 
executives to develop a rich understanding of key value 
drivers. This strategic understanding provides the foundation 
to now begin identifying potential risks. 


2. Think about risks to value drivers. Once you have a 
consensus understanding of the institution’s core business 
drivers and its new strategic initiatives on the horizon, you 
are now positioned to approach the risk identification and 
assessment process using a strategic lens. ERM can help 
business officers pinpoint the most significant risks to the core 
business drivers and strategies of the institution. The purpose 
is to identify and prioritize those risks that are most critical to 
the ability to continue generating value from existing crown 
jewels or to achieve the value envisioned for each of the 
initiatives in the institution’s strategic plan, as illustrated by Figure 5. 


Figure 5 Identify Business Drivers and New Initiatives 

Source: ERM Initiative, Poole College of Management, North Carolina State University (www.erm.ncsu.edu) 


To help populate risks to the institution’s business model and 
strategy, executives might be asked to think about answers to 
these questions for each of the crown jewels or new strategic 
initiatives: 

What risks might emerge that could threaten critical 
elements of the institution’s core business drivers 
and new strategic initiatives over the next two to 
three years? 

a. What might emerge that limits or eliminates access 
to key inputs that will be needed for the core driver 
or new initiative to retain its strategic value over the 
next several years? 

b. What might emerge that restricts, eliminates, or 
displaces the organization’s ability to sustain key 
processes and technologies? 








perspectives... Presenting Thought Leaders’ Points of View 




c. What might influence the contributions and 
availability of key players, such as suppliers, employees, 
customers, and regulators, to this process? 

What might trigger changes in factors that support 
management’s key assumptions about the ability to 
sustain its core business drivers and new strategic 
initiatives? 

Leaders can use a number of techniques to encourage this 
kind of thinking, such as interviews with key executives, 
management workshops, or surveys. When NC State launched 
its ERM process in 2011, we chose to conduct one-on-one 
interviews of senior executives, deans, and those in critical 
leadership roles, such as athletics and security. Other 
organizations have used risk workshops in which executives are asked 
these kinds of questions, followed by discussion to fine-tune 
understanding of each risk. 

Whatever technique you select, you will want to engage 
executives in thinking about risks they see on the horizon that might 
impact the university’s core business drivers or new strategic 
initiatives over time and then compile those responses to 
create a risk universe. 

Some institutions have found conducting a pre-mortem 
analysis helpful. Using this technique, individuals think 
about a negative outcome that might be realized in the 
future so that management can then engage in prospective 
hindsight analysis about what might have occurred to cause 
that outcome. Take a look at Figure 6, which reflects a 
hypothetical news article in Business Officer five years from 
now that reports a negative outcome at your institution. The 
pre-mortem analysis would help executives begin to explore 
what might explain the occurrence of this negative event. 

Figure 6 “Pre-Mortem” Analysis 


BUSINESS OFFICER 

July 1, 2018 

New York - Just five years ago, the reputation and brand of 
faculty and students at Your University were at all-time highs 
with no end in sight. 

What a difference a half a decade makes, with Your 
University’s reputation and brand significantly tarnished 

Identify 3 of the most likely causes for your college or university 


3. Assess risk probabilities and impacts. When executives 
start thinking about risks they see on the horizon, they 
sometimes suddenly realize that the number of risks in their 
institution’s universe can reach hundreds or thousands of 
potential events. Overwhelmed with too much risk detail, they 
lose sight of what to do next. 

The board and senior executives can only practically manage 
10 to 20 major risk areas or themes. So one of the objectives 
of the risk assessment process is to engage management 
in a process to prioritize risks into Tier 1 (top 10) and Tier 2 
(top 11 to 20) lists of risks. To assess and prioritize risks, you 
can interview executives about specific risk probabilities and 
impacts. Another option is to sponsor risk workshops where 
executives use anonymous voting technologies to score 
specific risks along probability and impact dimensions. NC 
State used a survey approach in which executives responded 
anonymously to an online survey by scoring about 50 risks 
along a number of dimensions, including probability, impact, 
and preparedness for managing the risk. 

The key to the success of any of these approaches is providing 
guidance to help executives think about probability and 
impact. Figure 7 shows the five-point scale provided to NC 
State executives to assess probability of each risk, and Figure 
8 contains the five-point scale used to assess impact. Notice 
the scale for impact helps prompt management to think about 
a number of dimensions that a risk might have, such as how a 
risk might influence changes in funding, quality of students, 
faculty recruitment and retention, media attention, peer 
rankings, and endowment/development goals. 

Figure 7 Likelihood Scale 

Rare: Less than 5% chance of occurrence; very surprised if this were to happen. 

Unlikely: 5%-25% chance of occurrence; surprised if this were to happen. 

Occasional: 26%-49% chance of occurrence; approaching a toss-up. 

Likely: 50%-74% chance of occurrence; surprised if this were not to happen. 

Almost certain: 75% or greater chance of occurrence; very surprised if it did not happen. 

Figure 8 Impact Ratings 

Having the institution’s key leadership team provide individual 
assessments of risks on the horizon from a probability and 
impact perspective ultimately leads to a consensus 
understanding of the institution’s Tier 1 and Tier 2 risks. Going 
through this process helps management determine which risks 
are of greatest priority to manage. 

4. Develop Responses to Key Risks. Most ERM frameworks 
outline four potential responses to potential risks: 

Tolerate. Because some risks are worth taking, 
management accepts the risk as is. 

Terminate. Certain risks are unacceptable so leaders 
stop or prohibit whatever activity or business process is 
triggering the potential for these risks. 

Transfer. Sometimes risks can be shared with other 
entities through insurance, joint ventures, or outsourcing. 

Treat. Leaders may decide to reduce the exposure to the 
institution by implementing new processes or controls. 

Business officers are uniquely positioned to help manage the 
organization’s responses to the most significant risks. For 
example, some responses require a reallocation of budget 
dollars from low-risk areas to high-risk areas. Business officers 
can provide perspective on how resources might best be used. 

Similarly, because they track, consolidate, and report financial 
and operating information from business units across campus, 
business officers can observe duplications or other 
inefficiencies in efforts by various business units to manage the 
risks. They also may find cost savings by asking business units 
with similar risks to partner together in their responses at a 
consolidated level rather than individually managing similar 
risks at each business unit. 

5. Monitor top risk exposures. The development of key risk 
indicators will help management keep an eye on each Tier 1 
and Tier 2 risk condition. 

Business officers are very familiar with key performance 
indicators, which measure an institution’s historical 
performance, often by the month, quarter, or year. By design, 
key performance indicators reveal a risk event after it has 
occurred, which leads to reactive versus proactive risk 
management. 

Key risk indicators provide a forward-looking picture. In 
essence, they are designed to help management have a “peek 
around the corner” of risks that are beginning to emerge 
before they have an impact on the institution. While they can 
be based on internal information, often the most effective and 
relevant key risk indicators require analysis of data outside the 
institution. 

For example, to address risk concerns about recruitment 
and retention of key faculty talent, a university may want 
to measure demographics about the number of individuals 
entering and exiting PhD programs across the U.S. or national 
forecasts of faculty retirements for research and teaching 
fields critical to the institution. Monitoring these kinds of 
trends helps position management to be in a proactive versus 
reactive posture for responding to risks, as illustrated by 
Figure 9. 


Figure 9 KRIs to Monitor Emerging Risks 

Source: ERM Initiative, Poole College of Management, North Carolina State University (www.erm.ncsu.edu) 


Given their extensive experience in identifying, measuring, and 
reporting financial and operating performance data, business 
officers are uniquely qualified to identify and measure data 
that might serve as effective key risk indicators. And because 
they already assemble reports and dashboards of 
performance data for management and the board, business officers 
can readily expand their reports and dashboards to include key 
risk indicators. 

6. Assess the culture. Well-intended efforts to strengthen 
risk oversight occasionally fail, usually because executives 
fail to embrace the importance of effective risk management. 
They may believe other, more important priorities compete for 
their time and attention, they may not see the strategic value 
of ERM, or they may conclude that the institution just doesn’t 
have the dollars, people, or software to do it. 

Before investing time and energy leading an ERM process, 
business officers should honestly assess the culture and tone 
at the top. Without senior executive leadership and support, 
ERM cannot realize its potential. 

At some institutions, the board of directors may be the impetus 
to strengthen risk oversight. It was an inquiry from the chair of NC 
State’s Audit, Finance, and Planning Committee of the Board of 
Trustees that prompted management at NC State to start its 
ERM process. 


A Never-Ending Process 

As they begin their ERM journey, business officers should not 
think of enterprise risk management as a project or software 
that needs to be installed by some set point in time. While 
activities surrounding the initial launch can be viewed as a 
project, business officers should consider ERM as a process 
that is ongoing and never-ending. 

Why? Because risks constantly evolve and change, so 
managing with that in mind requires a continuous living 
process that helps executives navigate the risk landscape as 
it unfolds, ensuring that core value drivers and new strategic 
initiatives stay on track. 


About the Author 

Mark S. Beasley is the Deloitte Professor of Enterprise Risk 
Management and director of the ERM Initiative in the Poole 
College of Management at North Carolina State University, 
Raleigh. To access more than 350 articles, thought papers, 
research, and other ERM implementation resources, visit the ERM 
Initiative’s website www.erm.ncsu.edu. 

(Mark_Beasley@ncsu.edu) 






